Full visibility of a Windows Kernel Bug with Timeless Analysis (CVE-2018-8410)

One of the situations where REVEN (Tetrane's timeless analysis platform) really shines is digging into undocumented kernel mechanisms, especially in cases where WinDbg abstracts the underlying details away from the user.

In the following video, we analyze a reference counting bug in the Windows kernel (CVE-2018-8410, published by Google Project Zero) and work out what actually happens when the proof of concept runs.

This requires following the object’s reference counter through the memory history view, a bit of exploration in REVEN’s GUI, and then a custom Python script to extract the remaining pieces of information. The report we build clarifies an unexpected behavior (previously described by Alex Ionescu on his blog) and explains how each of the proof of concept’s syscalls contributes to the final state of the object.